One of the ways Google discovers security issues in Android is through its Vulnerability Reward Program. Researchers are able to submit Android vulnerabilities they discover, allowing Google to fix them. To improve the system, Google is adding a new quality rating system for security vulnerability reports that have a higher impact.
Under the new regime, vulnerability reports will be rated as High, Medium, or Low quality based on the amount of detail provided in the report. Google hopes the new system will encourage researchers to submit more detailed reports so it can address the issues more quickly. As a byproduct of this, it expects that researchers will receive higher bounty rewards.
In addition to the report quality rating system, Google is increasing the rewards for the most critical vulnerabilities up to $15,000. This should make it more appealing for researchers to spend time looking for bugs in Android, rather than some other company’s product.
Google said that it’s looking for accurate and detailed descriptions, root cause analysis, proof-of-concept, reproducibility, and evidence of reachability in reports. Google also said it will no longer give moderate severity issues a Common Vulnerabilities and Exposures (CVE) designation but will only do so for critical and high severity issues. If you’re interested in getting involved, check out Google’s public rules page.